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In the Claims: 



1. (Canceled) A computer-implemented method comprising: 

at a network-address-translation (NAT) component, performing address translation at a 
packet level of a stream of packets originating from a client and destined for a server, the address 
translation redirecting the packets to a proxy component and masking a source of the packets; 
and, 

at the proxy component, performing filtering at a stream level of the stream of 
packets, the proxy component transmitting the packets to the server. 

2. (Canceled) The method of claim 1 , further comprising: 

at the proxy component, performing filtering at a stream level of a second stream of 
packets originating from the server and ostensibly destined for the NAT component, the proxy 
component transmitting the packets of the second stream to the NAT component; and, 

at the NAT component, performing address translation at a packet level of the second 
stream of packets, the address translation redirecting the packets to the client. 

3. (Canceled) The method of claim 1, further initially comprising, at a client, 
transmitting the stream of packets to the NAT component, the NAT component specified as a 
gateway at the client. 

4. (Canceled) The method of claim 1 , wherein the address translation redirects the 
packets to a socket of the proxy component. 

5. (Canceled) The method of claim 1 , wherein the proxy component transmits the packets 
from a socket thereof to the server. 

6. (Canceled) *A machine-readable medium having instructions stored thereon for execution 
by a processor to perform a method comprising: 
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performing address translation at a packet level of a stream of packets originating from a 
client and destined for a server via network-address-translation (NAT), the address translation 
redirecting the packets to a first proxy socket and masking a source of the packets; and, 

performing filtering at a stream level of the stream of packets, the packets 
subsequentiy transmitted from a second proxy socket to the server. 

7. (Canceled) The medium of claim 6, the method fiirther comprising: 

performing filtering at a stream level of a second stream of packets originating from the server 
and ultimately destined for the client, the packets received from the server at the second proxy socket 
and subsequently transmitted from the first proxy socket; and, 

performing address translating at a packet level of the second stream of packets, the address 
translation redirecting the packets to the client. 

8. (Canceled) A computerized system comprising: 
a client; 

a server with which the client communicates via a first stream of packets from the client to the 
server and a second stream of packets from the server to the chent; and, 

a network-address-translation (NAT)/proxy device designed to perform address translation at 
a packet level of the first and the second streams of packets, and to perform filtering at a stream 
level of the first and the second streams of packets. 



9. (Canceled) The system of claim 8, wherein the NAT/proxy device comprises: 

a NAT component designed to perform address translation at a packet level of the first and 
the second streams of packets; and, 

a proxy component designed to perform filtering at a stream level of the first and the 
second streams of packets. 
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10. (Canceled) The system of claim 9, wherein the NAT component is further designed to 
redirect the packets of the first stream to the proxy component and mask a source of the packets. 

11. (Canceled) The system of claim 9, wherein the NAT component is further designed to 
redirect the packets of the second stream to the client. 

12. (Canceled) The system of claim 9, wherein the proxy component is further designed to 
transmit the packets of the first stream to the server. 

13. (Canceled) The system of claim 9, wherein the proxy component is further designed to 
transmit the packets of the second stream to the NAT component. 

14. (Canceled) The system of claim 9, wherein the proxy component has a first socket at 
which to receive the packets of the first stream from the NAT component and from which to send 
the packets of the second stream to the NAT component, and a second socket at which to receive 
the packets of the second stream from the server and from which to send the packets of the first 
stream to the server. 

15. (Canceled) A network-address-translation (NAT)/proxy device comprising: 

first means for performing address translation at a packet level of a first stream of packets 
from a client to a server and of a second stream of packets from the server to the client; and, 

second means for performing filtering at a stream level of the first and the second streams of 
packets. 

16. (Canceled) The device of claim 1 5, wherein the first means is further for redirecting the 
packets of the first stream to the second means and for masking a source of the packets of the first 
stream, and to redirect the packets of the second stream to the client. 
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17. (Canceled) The device of claim 15, wherein the second means is further for 
transmitting the packets of the first stream to the server, and to transmit the packets of the second 
stream to the first means. 

18. (Canceled) The device of claim 15, wherein the second means has a first socket at 
which to receive the packets of the first stream fi:om the first means and from which to send the 
packets of the second stream to the first means, and a second socket at which to receive the 
packets of the second stream from the server and from which to send the packets of the first 
stream to the server. 

19. (New) A method for securing data communication between a client in an internal 
network and a server in an extemal network by way of a proxy server in the internal network, the 
method comprising: 

performing at the proxy server a network address translation upon a stream of packets 
originating from the client; 

filtering at the proxy server the stream of packets such that the filtering is transparent to 
the client; and 

transmitting at the proxy server the packets to the server after the packets are filtered. 

20. (New) The method of claim 19, fiirther comprising: 

filtering at the proxy server a second stream of packets originating from the server in the 
extemal network; 

performing at the proxy server a reverse network address translation upon the packets in 
the second stream; and 

transmitting at the proxy server the packets in the second stream after the packets are 
filtered. 

21 . (New) A computer-readable medium having instructions stored thereon for 
execution by a processor to perform the method of claim 19. 
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22. (New) A system for securing data communication across an external computer 
network, comprising: 

a client located in an internal computer network; 

a server located in the external computer network and in commimication with the client; 

and 

a proxy device in the internal computer network and comprising components for (1) 
performing a network address translation upon a stream of packets originating from the client 
and (2) filtering the stream of packets and transmitting the packets to the server such that the 
filtering is transparent to the client. 

23. (New) The system of claim 22, wherein the components of the proxy device 
comprise: 

a first component for filtering said stream of packets and also filtering a second stream of 
packets originating fi-om the server; and a second component for performing said network 
address translation and also for performing a reverse network address translation upon the 
packets in the second stream and transmitting the packets in the second stream to the client. 

24. (New) A proxy device located in an intemal network, comprising: 
routines for performing a network address translation upon a stream of packets 

originating fi"om a client in the intemal network, where the client is communicating the stream of 
packets to a server located in an extemal network; 

routines for filtering the stream of packets such that the filtering is transparent to the 
client; and 

routines for transmitting the packets to the server after the packets are filtered. 

25. (New) The proxy device of claim 24, fiirther comprising: 
routines for filtering a second stream of packets originating fi-om the server; 
routines for performing a reverse network address translation upon the packets in the 

second stream; and 

routines for transmitting the packets in the second stream to the client. 



